Hacking the Box (Joseph Sheridan)

Transcript

1. hacking the

2. [email protected] Joseph Sheridan Started Reaction in 2009 Locally based CESG

   CHECK registered

3. penetration testing aka ethical hacking, pentesting, white hat hacking etc…

   introduction What is penetration testing? What will be covered today?

4. penetration testing aka ethical hacking, pentesting, white hat hacking etc…

   Services • Network infrastructure • Web apps • Host build reviews • Wireless networks • Database security

5. HACKING MAINFRAME THE testing network infrastructure

6. domain admin in under 30mins guess passwords the easy way

   in? < this actually happens password policy

7. the easy way in? the awful passwords we find: Blank

   • SQL Server • Gary McKinnon blank root pentagon Password01 Company name Football team Swear words Their own username

8. more easiness look for unpatched servers e.g. how about an

   internet-facing host with no firewall and missing critical security patches MS04-011 MS06-040 MS08-067 MS09-050 / LSASS / Canonicalisation / Netapi / Negotiate Function Table

9. MS09-050 owned over the internet

10. password cracking dictionary attack brute-force rainbow tables

11. None

12. sharing != caring when you have found a password for…

    oh, say a local administrator account chances of another account having the same password = HIGH

13. HACKING INTERNET THE testing web applications

14. user enumeration knowing a list of users makes brute-forcing significantly

    easier
15. None

16. stale cookies a user’s account is session only as secure

    as his token

17. stale cookies e.g. once upon a time, we found the

    following session token… MDEzODM0MDg4NzM= which translates from Base64 to… 0 1 3 8 3 4 0 8 8 7 3 always zero random sequential (every login) get any active session by enumerating through 9999 values (approx 10mins in this case)
18. None

19. xss <p>No results found for <?=$_GET[“search"]?></p> http://mysite.com/?search=

20. xss <p>No results found for <?=$_GET[“search"]?></p> http://mysite.com/?search= payload: <script>alert(‘xsstest’)</script>

21. xss <p>No results found for <?=$_GET[“search"]?></p> script>alert(‘xsstest’)</script> payload: <script>alert(‘xsstest’)</script>

22. xss <p>No results found for <script>alert(‘xsstest’) </script></p> script>alert(‘xsstest’)</script> payload: <script>alert(‘xsstest’)</script>

23. xss <p>No results found for <script>alert(‘xsstest’) </script></p> script>alert(‘xsstest’)</script> payload: <script>alert(‘xsstest’)</script>

    xsstest Alert!

24. SQLi Enter your username and password: Go! $query = “SELECT

    id FROM users WHERE uname=‘ ’ “ . $username . “ AND pword=‘ “ . $password . “ ’” joebloggs *********

25. SQLi joebloggs Enter your username and password: Go! $query =

    “SELECT id FROM users WHERE uname=‘ ’ ********* joebloggs AND pword=‘ ‘ OR 1=1# ’”

26. SQLi joebloggs Enter your username and password: Go! $query =

    “SELECT id FROM users WHERE uname=‘joebloggs’ ********* AND pword=‘‘ OR 1=1#’”

27. blind SQLi ‘ and if(substring((SELECT pword FROM users WHERE uname='admin‘),

    1, 1)=‘a’, benchmark(500000, MD5(‘!’)), 0)

28. blind SQLi

29. HACKING PEOPLE social engineering

30. phishing From: Company IT Helpdesk <[email protected]> To: Fred Jones <[email protected]>

    Subject: IT Helpdesk Important Information – Action Required Dear Fred, We have detected suspicious activity relating to your Company account. As a precaution, we require you to verify your details using the password management system. Failure to do so may result in revocation of your user rights. Please copy and paste the following URL into your browser: http://security.company.com/pm/?verify=982364925874578955 IT Dept. Company [email protected] This email and any files transmitted with it are confidential and are intended solely for the use of the individual to whom they are addressed. If you are not the intended recipient please notify the sender. Any unauthorised dissemination or copying of this email or its attachments and any use or disclosure of any information contained in them, is strictly prohibited. Please consider the environment before printing this email.

31. phishing users were directed to a mirrored login on our

    server how many fell for it? 9 /60

32. USB drop could be preloaded with malware or spawn outgoing

    connections leave them lying around / curiosity hand them in to receptionist / helpfulness

33. EXPLOITS: researching software vulnerabilities THE MAKING OF

34. buffer overflows ScriptFu console

35. None

36. buffer overflows

37. overflows buffer • return address • shellcode exploit contains:

38. THE [email protected] reaction information security, canterbury